Browse code
client-connect: Add documentation for the deferred client connect feature
Signed-off-by: David Sommerseth <davids@openvpn.net>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: Fix typos, clarify man page section about deferred client-connect
script. Add section to Changes.rst
Patch V6: Convert manpage to rst
It also incorporates suggested changes from Richard Bonhomme
<tincanteksup@gmail.com> [0]
[0] Message-ID: <82c2d70f-e2f9-f810-2c55-788358a0cb08@gmail.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20331.h
tml
Patch V7: Re-include the changes of Changes.rst and openvpn-plugin.h
Clarify some parts of the documentation.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200720142703.3324-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20511.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe authored on 2020/07/20 23:27:03Showing 4 changed files
- Changes.rst
- doc/man-sections/generic-options.rst
- doc/man-sections/script-options.rst
- include/openvpn-plugin.h.in
| ... | ... |
@@ -32,6 +32,11 @@ Improved Data channel cipher negotiation |
| 32 | 32 |
Asynchronous (deferred) authentication support for auth-pam plugin. |
| 33 | 33 |
See src/plugins/auth-pam/README.auth-pam for details. |
| 34 | 34 |
|
| 35 |
+Deferred client-connect |
|
| 36 |
+ The ``--client-connect`` option and the connect plugin API allow |
|
| 37 |
+ asynchronous/deferred return of the configuration file in the same way |
|
| 38 |
+ as the auth-plugin. |
|
| 39 |
+ |
|
| 35 | 40 |
Faster connection setup |
| 36 | 41 |
A client will signal in the ``IV_PROTO`` variable that it is in pull |
| 37 | 42 |
mode. This allows the server to push the configuration options to |
| ... | ... |
@@ -394,11 +394,14 @@ which mode OpenVPN is configured as. |
| 394 | 394 |
|
| 395 | 395 |
This directory will be used by in the following cases: |
| 396 | 396 |
|
| 397 |
- * ``--client-connect`` scripts to dynamically generate client-specific |
|
| 398 |
- configuration files. |
|
| 397 |
+ * ``--client-connect`` scripts and :code:`OPENVPN_PLUGIN_CLIENT_CONNECT` |
|
| 398 |
+ plug-in hook to dynamically generate client-specific configuration |
|
| 399 |
+ :code:`client_connect_config_file` and return success/failure via |
|
| 400 |
+ :code:`client_connect_deferred_file` when using deferred client connect |
|
| 401 |
+ method |
|
| 399 | 402 |
|
| 400 |
- * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plugin hook to return |
|
| 401 |
- success/failure via ``auth_control_file`` when using deferred auth |
|
| 403 |
+ * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns |
|
| 404 |
+ success/failure via :code:`auth_control_file` when using deferred auth |
|
| 402 | 405 |
method |
| 403 | 406 |
|
| 404 | 407 |
* :code:`OPENVPN_PLUGIN_ENABLE_PF` plugin hook to pass filtering rules |
| ... | ... |
@@ -137,6 +137,13 @@ SCRIPT HOOKS |
| 137 | 137 |
returns a non-zero error status, it will cause the client to be |
| 138 | 138 |
disconnected. |
| 139 | 139 |
|
| 140 |
+ If a ``--client-connect`` wants to defer the generating of the |
|
| 141 |
+ configuration then the script needs to use the |
|
| 142 |
+ :code:`client_connect_deferred_file` and |
|
| 143 |
+ :code:`client_connect_config_file` environment variables, and write |
|
| 144 |
+ status accordingly into these files. See the `Environmental Variables`_ |
|
| 145 |
+ section for more details. |
|
| 146 |
+ |
|
| 140 | 147 |
--client-disconnect cmd |
| 141 | 148 |
Like ``--client-connect`` but called on client instance shutdown. Will |
| 142 | 149 |
not be called unless the ``--client-connect`` script and plugins (if |
| ... | ... |
@@ -512,6 +519,35 @@ instances. |
| 512 | 512 |
Total number of bytes sent to client during VPN session. Set prior to |
| 513 | 513 |
execution of the ``--client-disconnect`` script. |
| 514 | 514 |
|
| 515 |
+:code:`client_connect_config_file` |
|
| 516 |
+ The path to the configuration file that should be written to by the |
|
| 517 |
+ ``--client-connect`` script (optional, if per-session configuration |
|
| 518 |
+ is desired). This is the same file name as passed via command line |
|
| 519 |
+ argument on the call to the ``--client-connect`` script. |
|
| 520 |
+ |
|
| 521 |
+:code:`client_connect_deferred_file` |
|
| 522 |
+ This file can be optionally written to in order to to communicate a |
|
| 523 |
+ status code of the ``--client-connect`` script or plgin. Only the |
|
| 524 |
+ first character in the file is relevant. It must be either :code:`1` |
|
| 525 |
+ to indicate normal script execution, :code:`0` indicates an error (in |
|
| 526 |
+ the same way that a non zero exit status does) or :code:`2` to indicate |
|
| 527 |
+ that the script deferred returning the config file. |
|
| 528 |
+ |
|
| 529 |
+ For deferred (background) handling, the script or plugin MUST write |
|
| 530 |
+ :code:`2` to the file to indicate the deferral and then return with |
|
| 531 |
+ exit code :code:`0` to signal ``deferred handler started OK``. |
|
| 532 |
+ |
|
| 533 |
+ A background process or similar must then take care of writing the |
|
| 534 |
+ configuration to the file indicated by the |
|
| 535 |
+ :code:`client_connect_config_file` environment variable and when |
|
| 536 |
+ finished, write the a :code:`1` to this file (or :code:`0` in case of |
|
| 537 |
+ an error). |
|
| 538 |
+ |
|
| 539 |
+ The absence of any character in the file when the script finishes |
|
| 540 |
+ executing is interpreted the same as :code:`1`. This allows scripts |
|
| 541 |
+ that are not written to support the defer mechanism to be used |
|
| 542 |
+ unmodified. |
|
| 543 |
+ |
|
| 515 | 544 |
:code:`common_name` |
| 516 | 545 |
The X509 common name of an authenticated client. Set prior to execution |
| 517 | 546 |
of ``--client-connect``, ``--client-disconnect`` and |
| ... | ... |
@@ -557,12 +557,21 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op |
| 557 | 557 |
* OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure |
| 558 | 558 |
* |
| 559 | 559 |
* In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by |
| 560 |
- * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous |
|
| 561 |
- * authentication where the plugin (or one of its agents) may indicate |
|
| 562 |
- * authentication success/failure some number of seconds after the return |
|
| 563 |
- * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single |
|
| 564 |
- * char to the file named by auth_control_file in the environmental variable |
|
| 565 |
- * list (envp). |
|
| 560 |
+ * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_CLIENT_CONNECT and |
|
| 561 |
+ * OPENVPN_PLUGIN_CLIENT_CONNECT_V2. This enables asynchronous |
|
| 562 |
+ * authentication or client connect where the plugin (or one of its agents) |
|
| 563 |
+ * may indicate authentication success/failure or client configuration some |
|
| 564 |
+ * number of seconds after the return of the function handler. |
|
| 565 |
+ * For OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY and OPENVPN_PLUGIN_CLIENT_CONNECT |
|
| 566 |
+ * this is done by writing a single char to the file named by |
|
| 567 |
+ * auth_control_file/client_connect_deferred_file |
|
| 568 |
+ * in the environmental variable list (envp). |
|
| 569 |
+ * |
|
| 570 |
+ * In addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and |
|
| 571 |
+ * OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called when OpenVPN tries to |
|
| 572 |
+ * get the deferred result. For a V2 call implementing this function is |
|
| 573 |
+ * required as information is not passed by files. For the normal version |
|
| 574 |
+ * the call is optional. |
|
| 566 | 575 |
* |
| 567 | 576 |
* first char of auth_control_file: |
| 568 | 577 |
* '0' -- indicates auth failure |